This topic has 5 replies, 3 voices, and was last updated 6 years, 1 month ago by rohajda.

    #12665
     wshen
    Participant

    The standard OIDC claims don't include group memberships or roles, so I am trying to create a custom OIDC Claim Groovy script to add a custom claim.

    My user data store is Active Directory; with proper configuration, the group memberships are displayed in the Groups tab of the “Subject” section of the realm.

    However, in the custom OIDC claim script, trying to use identity.getMemberships(IdType.GROUP) got an error: “javax.script.ScriptException: java.lang.SecurityException: Access to Java class "com.sun.identity.idm.IdType" is prohibited.”

    Is there a way to allow this class in the script engine?

    Thanks,
    -Wei

    #12679
     Peter Major
    Moderator

    Go to Configuration – Global – Scripting, select your script type, and you should be able to control the whitelist there.

    #12688
     wshen
    Participant

    Thanks, @peter-major. Works without bouncing the server.

    #13959
     rohajda
    Participant

    @wshen could you share your modified OIDC Claim Groovy script? I am trying to achieve the same but with no luck.

    Thanks in advance

    #13961
     wshen
    Participant

    @rohajda

    I created a custom claim block inside “claimAttributes” array:

    
    "roles": { claim, identity, requested ->
        // One ROLE_<groupName> entry per group the authenticated user belongs to
        identity.getMemberships(IdType.GROUP).collect { group -> 'ROLE_' + group.name }
    }
    

    Make sure to add import com.sun.identity.idm.IdType at the top of the script.
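    The same claim resolver written out defensively, as an added example rather than wshen's script or ForgeRock's own: it assumes the closure contract shown in this thread (closures in claimAttributes receive claim, identity and requested and return the claim value), assumes the requested-claim object exposes getValues(), and the ROLE_ prefix and null handling are this example's choices.

    ```groovy
    import com.sun.identity.idm.IdType

    // Whitelist exactly com.sun.identity.idm.IdType under
    // Configuration - Global - Scripting for the OIDC Claims script type;
    // avoid a package wildcard, which would expose the whole idm package.
    def groupRolesResolver = { claim, identity, requested ->
        // identity is null for grants without an end user (e.g. client
        // credentials); return no claim instead of failing the token request.
        if (identity == null) {
            return null
        }
        def groups = identity.getMemberships(IdType.GROUP)
        if (groups == null || groups.isEmpty()) {
            return null
        }
        // getName() is the group's realm-relative name; using the DN instead
        // would leak directory layout to every relying party.
        def roles = groups.collect { group -> 'ROLE_' + group.getName() }.sort()
        // If the RP asked for specific values via the claims request
        // parameter, return only those so the token carries nothing extra.
        // (requested.getValues() is assumed from the default AM claims script.)
        if (requested != null && requested.getValues() != null
                && !requested.getValues().isEmpty()) {
            roles = roles.findAll { requested.getValues().contains(it) }
        }
        return roles.isEmpty() ? null : roles
    }

    // Constructed claimAttributes entry; merge into your existing map.
    claimAttributes = [
        "roles": groupRolesResolver
    ]
    ```

    Check the default OIDC Claims script shipped with your AM version before deploying: some versions expect resolvers to return a map keyed by claim name rather than the bare value.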

    #13968
     rohajda
    Participant

    @wshen thanks a lot, it is working great.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.